
How to enable/disable magic_quotes_gpc in PHP

August 29, 2011

Posted by Tournas Dimitrios in PHP.

The magic quotes option was introduced to help protect servers from SQL injection attacks. It effectively executes addslashes() on all information received over GET, POST or COOKIE. Unfortunately this protection isn't perfect: there are a series of other characters that databases interpret as special that are not covered by this function. In addition, data not sent directly to a database must be un-escaped before it can be displayed on screen. Because it's inconsistent and ineffective, it's not recommended that magic_quotes_gpc be enabled. It's recommended instead that your PHP scripts do their own input filtering so that your databases and site are protected.

You can disable magic_quotes_gpc in the .htaccess file by adding:
# Disable magic_quotes_gpc
php_flag magic_quotes_gpc off
If your PHP script needs magic_quotes_gpc enabled, you can enable it in the .htaccess file by adding:
# Enable magic_quotes_gpc
php_flag magic_quotes_gpc on
If you get a 500 Internal Server Error once you have put the above settings in your .htaccess file, remove them from the .htaccess file and add the following to your PHP file:
To disable:  ini_set('magic_quotes_gpc', 0);
To enable:   ini_set('magic_quotes_gpc', 1);

  • If the server has magic_quotes enabled and you want to display the values, use this command to remove the extra slashes:
    stripslashes($_POST['some-value']);
  • If the server has magic_quotes disabled, you can display the values directly on the screen (they haven't been modified by the server). But before sending these values to the database, they must be sanitized with commands like:
    $value = mysql_real_escape_string($_POST['some-value']);
    $value = filter_var($_POST['question'], FILTER_SANITIZE_MAGIC_QUOTES);

The filter extension (FILTER_SANITIZE_xxxxx) is enabled by default as of PHP 5.2.0. Before this time an experimental PECL extension was used; however, the PECL version is no longer recommended or updated. Just run a phpinfo() file: a configuration block "filter" with "Input Validation and Filtering" will confirm that the server supports this functionality.

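A good practice for displaying $_POST or $_GET content is to apply the following code:

function unescape($text)
{
    // Undo the slashes added by magic_quotes_gpc
    $text = stripslashes($text);
    return $text;
}
# usage (HTML-escape the value at output time)
echo "You entered: " . htmlspecialchars(unescape($_POST['input']), ENT_QUOTES, 'UTF-8') . "\n";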
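
The two cases described in the post (magic quotes on and off), handled in one place for scripts that cannot control the server setting, as an added example that is not part of the original post: the input is restored to what the client sent, stored through a PDO bound parameter (used here in place of the mysql_real_escape_string() call shown earlier), and HTML-escaped only at output. The function names, the in-memory SQLite table and the sample values are assumptions made for the demo.

```php
<?php
// Added example, not the post author's code. Function names are hypothetical.

// True only when the runtime still applies magic quotes to GET/POST/COOKIE.
// The directive was removed in PHP 5.4, where ini_get() returns false.
function magic_quotes_active()
{
    return filter_var(ini_get('magic_quotes_gpc'), FILTER_VALIDATE_BOOLEAN);
}

// Return the value as the client sent it, recursing into array fields.
function raw_input_value($value, $quoted)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = raw_input_value($v, $quoted);
        }
        return $out;
    }
    return $quoted ? stripslashes($value) : $value;
}
// Real use: $post = raw_input_value($_POST, magic_quotes_active());

// Constructed sample: what $_POST holds for the same form on two servers.
// addslashes() stands in for what magic_quotes_gpc does to the input.
$samples = array(
    'magic quotes on'  => array('name' => addslashes("O'Reilly <b>"), 'quoted' => true),
    'magic quotes off' => array('name' => "O'Reilly <b>", 'quoted' => false),
);

$db = new PDO('sqlite::memory:'); // assumption: the pdo_sqlite driver is installed
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');
$insert = $db->prepare('INSERT INTO people (name) VALUES (:name)');

foreach ($samples as $label => $s) {
    $name = raw_input_value($s['name'], $s['quoted']);
    // Bound parameter: the driver handles quoting, no manual escaping.
    $insert->execute(array(':name' => $name));
    // Escape for HTML only at the point of output.
    echo $label, ': ', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
}

// Both rows hold the identical original string, with no stray backslashes.
$rows = $db->query('SELECT name FROM people')->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows[0] === $rows[1]);
```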


1. Submission to search engines - January 4, 2013

hello!,I love your writing so so much! proportion we communicate extra about your article on AOL?
I require a specialist on this area to solve my problem. May be that is you!
Taking a look ahead to see you.

tournasdimitrios1 - January 4, 2013

Hi,
Send me a personal message, I would be glad to help you.
